Method and arrangement for automatically controlling access between a computer and a communication network

ABSTRACT

The present invention relates to a device and method for increasing the security of a computer or server adapted for communication with a communication network, for example the Internet. The method for automatically controlling access between the computer and the communication network arranges the access to be dependent on user activity. The user activity is determined by monitoring signal activity between the computer and at least one input/output device adapted for communication with the computer, user activity being defined as the detection of signal activity between the computer and the input/output device. Access to the communication network is only allowed if user activity is occurring or has occurred within a predetermined time period.

The present invention relates to an apparatus and method for increasing security in data communication systems, in particular to impede intrusion from, and unwanted access to, a communication network from a computer or server.

BACKGROUND OF THE INVENTION

The modern use of computers and communication networks has seen an increasing demand for having almost all computers, both in domestic use and in office use, connected to a network at all times, especially to the Internet. The advantages of being "always" connected are many, for example fast access to the information available on the Internet, the ability to receive and send e-mails without noticeable delays and notification of other incoming messages such as fax transmissions, Internet calls etc. However, the massive flow of information in combination with most computers having network connections has increased the vulnerability of the communication networks and the individual computers. Examples of the vulnerability of the systems include the devastating effects of computer viruses of various kinds, intrusion by "hackers" into corporations' and governments' computer systems, fraudulent use of credit cards/bank accounts by monitoring money transfers via the Internet and unauthorized access to crucial business information. Another type of misuse of the computer networks that has recently arisen is to use, without the knowledge of the owner, a company's server or someone's domestic computer for storing and distributing files. This is typically done by intruders for the purpose of not having to provide the storage capacity themselves and/or to store and distribute material of dubious or illegal character, such as unauthorized copies of music or movies. An especially dangerous and deceptive type of virus is the so-called Trojan horses and worms. These types of virus typically enter the computer in an e-mail or a file fetched from the Internet. In the computer the virus program can for example send files and/or information such as passwords to an Internet address. An intruder may then use the information sent by the Trojan horse to access the computer, and since the virus has provided the intruder with all relevant information this intrusion will appear like an authorized access to the computer.

Today attempts to intrude into a computer or server often include the use of a number of viruses as well as other methods of gaining access to, and even control over, the target. Such a destructive program package may include one virus shutting down antivirus and virus warning software, one program looking for ways of getting access to the computer and yet another program searching for passwords, usernames and addresses.

Many computers today are provided with cameras, microphones or other communication devices, typically for the purpose of being able to communicate with voice and picture over the Internet. If an intruder gets control over such an equipped computer, for example by use of a Trojan virus, it will be fairly easy for the intruder to use for example the computer's microphone for overhearing and recording a conversation taking place in the room where the computer is situated. This can obviously be used for espionage and other forms of criminal activities.

The predominant way of addressing security issues in today's communication networks is by the use of "firewalls". Firewalls often combine the use of proxy servers and filtering techniques such as stateful inspection filters to reduce the possibilities for unwanted access and attacks by viruses. For a comprehensive description of common current security measures see for example "Datakommunikation i praktiken", chapter 20, Kent Mayer, Pagina.se 2001. Although in many ways effective, firewalls need to be continuously updated and maintained by skilled personnel in order to maintain an acceptable level of protection. This is time-consuming and costly, both in man-hours and in upgrading equipment. For smaller businesses, and for persons wanting to have their home computers connected to a network, the installation of firewalls, and in particular the maintenance of them, can be too costly or too complicated to be considered economically justifiable.

Another area of security is within internal networks, often so-called intranets. An organisation's intranet may be protected from outside attacks by firewalls. However, information which is not meant to be seen by everyone is often created and shared within the organisation. It is often fairly easy, within an intranet, to look into or copy the work of others.

Thus, although the introduction and widespread use of firewalls, and the associated proxy servers and techniques for filtering, has greatly increased the level of security in communication networks, there is a need for solutions further improving the security, not least for small entities and home users not having the economic means or technical competence needed for installing and maintaining a security system based on firewalls.

SUMMARY OF THE INVENTION

One object of the present invention is to provide a method and device for improving the security of computers and/or servers which are connected to a communication network that overcomes the drawbacks of the prior art.

A further object of the present invention is to reduce the risk that the computer and the input/output devices connected to it are used for spying.

An important observation made by the inventors, which should be considered as part of the invention, is that the length of the time period during which a computer or server is connected to a network is highly related to its vulnerability to intrusions. By being always connected a computer can be subjected to hackers' attempts continuously, and as the breaking of passwords, codes and encryption is often a time-consuming process, unlimited access to the target computer or computer system is often a prerequisite for the "success" of the intruder. By reducing the time periods of network connection the possibility for an intruder to gain access to and control over a computer is significantly reduced. Also the search for entities to attack is a time-consuming procedure, and not being connected at all times, i.e. not being "seen" on the communication network at all times, reduces the possibility of being pinpointed as an interesting entity to intrude.

It is not sufficient to stop the attacks from the outside. Attacks from the inside, for example made by viruses of Trojan or worm type, must also be stopped. The risk of a virus of this type sending out information is significantly reduced if the time the computer is connected to the data communication network is reduced. As discussed above, an intrusion often involves a number of methods and viruses of different types. In the following, viruses of Trojan or worm type are used as examples since they are well known and documented viruses. These are to be regarded as exemplary and the use of the present invention is not limited to these.

Therefore, it is the aim of the invention to minimize the time a computer or a server is connected to a network in a manner that does not introduce any significant inconvenience for the user and does not impede the performance of the computer and its applications.

The above described is crucial if no other security measures have been taken, for example in a typical domestic use of a computer. But also in systems which utilize means for security such as firewalls, the principle of reducing the time connected to the network will limit the possibilities for attempts by hackers and therefore increase the security.

In addition, the previously described unacknowledged use of a network computer or a server for storing and/or distributing files is effectively prevented if the computer/server is not connected for extended periods. That computer/server will simply not be an interesting target for the potential intruder.

In the method and device according to the invention the access between a computer and a communication network is arranged to be dependent on user activity. In particular, user activity is defined as signal activity between the computer and at least one input/output device.

According to another aspect of the invention the input/output devices are categorized as main input/output devices and secondary input/output devices. The connection to the secondary input/output device is arranged to be dependent on user activity.

One advantage afforded by the present invention is that the time period in which the computer has access to the communication network is significantly reduced.

Another advantage afforded by the invention is that the net access controller prohibits access to the network if an unwanted network access has previously been attempted.

Yet another advantage is that a user is provided with the possibility to close the access to the communication network.

A further advantage is that secondary input/output devices can be temporarily disconnected.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described in detail with reference to the drawing figures, in which

FIG. 1a is a schematic drawing illustrating the use of the net access controller according to the present invention;

FIG. 1b is a block diagram illustrating the net access controller according to an embodiment of the present invention;

FIG. 2 is a flowchart illustrating one embodiment of the present invention;

FIG. 3 is a flowchart illustrating one embodiment of the present invention;

FIG. 4 is a flowchart illustrating one embodiment of the present invention;

FIG. 5 is a flowchart illustrating one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In a first embodiment of the present invention, described with reference to FIG. 1a, a device according to the invention, hereafter referred to as the net access controller, controls the access to and from a communication network to and from a computer. The computer 100 is connected to a variety of input/output devices such as a keyboard 105, a mouse 110 and a screen 112. As appreciated by those skilled in the art, a large number of different types of input/output devices are possible, including cameras, microphones, joysticks, digitizers, printers, scanners and loudspeakers, and the above mentioned should be considered as examples commonly used in many applications. The computer 100 is connected to a communication network 120, typically through a standardized interface 125 and a cable 130. The network connection is made via a net access controller 135 according to the invention. The net access controller 135 is in addition connected to one or more of the input/output devices such as the keyboard 105, mouse 110 and screen 112 through cables 140, 145 and 150 respectively. The connections between the different units have here been illustrated with cables. As apparent to those skilled in the art, other types of communication means such as short distance radio, e.g. Bluetooth™, and IR could advantageously be used for interconnecting the units. The network connection, as well as the type of network, can be of many different types, including Local Area Network (LAN), Wireless Local Area Network (W-LAN), modem or ISDN connection, Asymmetric Digital Subscriber Line (ADSL) or any kind of broadband.

A main functional part of the net access controller is a switch which interrupts the physical connection of the computer to the communication network 120. The switch is operated by a system functionally separated from the communication network. The switching functionality of the net access controller ensures that the computer will be impossible to access without permission from the user, and likewise that it will be impossible for the computer to access the communication network 120 without permission from the user. The principal functionality as well as different embodiments will be described below.

The net access controller 135 with the above indicated features can be realized in various ways; one exemplary realisation will be described with reference to FIG. 1b. The net access controller 135 comprises an I/O signal monitoring unit 160, which provides connectors 161 and suitable interfaces for the input/output devices such as the keyboard 105, mouse 110, microphone 111, screen 112, speaker 113, camera 114 and secure login devices 115, as well as a network in-connection 162 and a network out-connection 164. The I/O signal monitoring unit 160 analyses signalling activity from the I/O devices and the network connections, and is connected to a processing module 165. The processing module 165 is typically a software programmable integrated circuit and may comprise a logging function 166, a private security mode (PSM) function 168 and a quarantine function 169. The processing module 165 controls a switch 175, which in turn controls the access to the network by opening and closing the circuit between the network in-connection 162 and the network out-connection 164. The switch 175 may in addition be controlled by controlling means 180, for example a button on the outside surface of the net access controller, for manually switching the switch 175 on and off. In certain embodiments the net access controller is provided with a computer interface 172 for communication with the computer 100 and a communication interface 173 for communication with other net access controllers. The net access controller may additionally be provided with a communication module 185, which is capable of communicating with a communication system other than the data communication network which the computer 100 is connected to. The communication module may for example be a GSM unit for data communication over the air interface. The net access controller may further be provided with displaying and indication means, for example an LCD and LEDs 186.

In the above description the switch 175 is typically a switching transistor or a relay. As appreciated by those skilled in the art, the switching functionality may be achieved in a number of ways. In certain applications, for example if radio or fiber optics is used for the network connection, it may be more technically feasible, instead of switching off the network with a relay, to open the connection to the power supply of the UARTs or of the transceiver circuits. The switch and the switching functionality should be regarded as ways of securely turning off the possibility of establishing and maintaining communication between the computer 100 and the communication network 120.

Methods and means for detecting signalling activity from I/O devices such as a mouse are known in the art, and are commonly used for screen savers, to save energy and to prolong usage time in for example battery operated laptop computers. Usage and detection means are described in for example U.S. Pat. Nos. 6,000,003 and 5,481,732. In the present application the signal activity is typically detected as the existence of a physical signal in for example the cable connecting an I/O unit to the computer. Such signals are often hard, or even impossible, to generate for example by a "hacker" trying to take control of the computer via the Internet connection. Hence, determining user activity from the physical signalling between I/O units, especially "dumb" I/O units such as a mouse, and the computer could offer higher security than relying on higher level information originating from program functions within the computer, as the latter could more easily be generated by an intruder or a virus.

As appreciated by those skilled in the art, the net access controller can be realised in many ways. The signal detection part can be made with analogue circuits and the processing module with the use of digital logic. Alternatively most of the net access controller can be made almost entirely with software controlled circuits, utilizing for example digital filters in the signalling detection part.

Described with reference to the flowchart of FIG. 2 is the principal operation of a first embodiment of the net access controller according to the invention. In the following algorithms "user activity" is defined as any signalling activity from the I/O units corresponding to a user actively using the computer. It should be understood that the signal activity could be the very existence of a carrier wave or a relevant electrical signal between an I/O unit and the computer. The information content does, typically and preferably, not need to be revealed and analyzed. It is the signal itself in its physical existence that is of primary interest. However, in certain applications it may be useful to also analyze the information content in the signalling between an I/O unit and the computer, and the following algorithms are easily adapted to such applications. "Net related user activity" is defined as outgoing signalling from the computer to the communication network 120 and is indicative of an activity initiated by the user, e.g. checking of incoming e-mails. "Net activity" is defined as signalling from the computer to the network which does not relate to a user activity, i.e. in most cases an unwanted network activity. The same definitions are used for all embodiments.

-   200: In a first step 200 the net access controller is in a first monitoring mode. The access to the communication network 120 is closed, i.e. no communication can be made to or from the computer 100. In the first monitoring mode the net access controller will continuously check the user activity and the net related user activity according to the above definitions, as described in steps 205-210.
-   205: The net access controller will in step 205 check the user activity. If there is no user activity it goes back to step 200. If user activity is detected, i.e. signalling activity to and/or from the input/output devices 105, 110 and 115, it proceeds to step 210.
-   210: In step 210 the net access controller checks for net related user activity. If no such activity is detected there is no indication of the user wanting access to the communication network 120 and the switch 175 keeps the access to the communication network closed. If net related user activity is detected the algorithm proceeds to step 215.
-   215: In step 215 the net access controller opens the access to the communication network, allowing access for example to the Internet. It should be stressed that two criteria have to be fulfilled for the net access controller to open the access: user activity and net related user activity.
-   220: After opening of the access, the net access controller enters, in step 220, a second monitoring mode characterized by continuous monitoring of the net related user activity.
-   225: In step 225 the net access controller checks for net related user activity. If net related user activity is detected, which is indicative of the user still actively using computer applications needing network communication, the algorithm goes back to step 220. If no such activity is detected the algorithm proceeds to step 230.
-   230: Step 230 consists of waiting a predefined period of time, t_(w). The purpose of the waiting time is to not let the short periods without signalling that typically appear in all communication cause a closing of the network access.
-   235: In step 235 the net related user activity is again checked. If net related user activity is detected, this is an indication that the result (no activity) of step 225 was due to a short break in the communication and not an indication of the termination of the computer application requiring network communication. In this case the net access controller will stay in the second monitoring mode, i.e. go to step 220. If no net related user activity is detected the algorithm proceeds to step 240.
-   240: In step 240 the net access controller closes the access to the communication network, not allowing any communication to or from the communication network 120. The net access controller goes back to the first monitoring mode, i.e. goes to step 200.

The above described "continuous monitoring", utilized in both the first and the second monitoring modes, need not be strictly continuous. The monitoring will typically be performed at regular time intervals, the intervals chosen so that for all applications executed on the computer the monitoring is perceived by the user as being continuous.

The predefined period of time, t_(w), which the net access controller waits before switching the network connection off, is a parameter that typically is set by the user. A method of entering the time period, t_(w), as well as other user specific parameters will be described in a further embodiment of the invention. The purpose of introducing the waiting time and the procedure according to steps 225-235 is to not let the short periods without signalling that typically appear in all communication cause a closing of the network access. As appreciated by those skilled in the art, this could be implemented in various ways, for example having a fixed wait time and requiring a number (possibly set by the user) of consecutive detections of net related user activity.

Parameters representing a typical usage of the net access controller are preferably set by the manufacturer. The user may want to, on installation or during maintenance, change some of the parameters. In one embodiment of the invention the net access controller 135 is provided with the computer interface 172 and means for communicating with the computer. This could be with any of the communication ports and protocols which a computer typically is equipped with, such as the serial RS-232, parallel ports or USB. User specific parameters and settings such as the time period, t_(w), are entered into the computer 100 and transmitted to the net access controller via the computer interface 172 with the aid of a software program executed on the computer and in the processing module 165 of the net access controller. Of importance for maintaining the increased security provided by the net access controller, the communication between the net access controller and the computer should be performed in a manner that is not possible to control remotely by an intruder. Preferably, the communication should not be done via the network connection cables or with the protocols typically used in computer networks. Typically the connection is used only for limited time intervals during a set-up procedure or during transfer of log information (see below). Information is then shared between the computer and the net access controller, and preferably immediately after the information transfer the connection to the computer is securely terminated, for example with a switch electrically separating the units. Alternatively, as appreciated by those skilled in the art, other means of setting parameters in the net access controller could be utilized; the net access controller could for example be provided with a simple I/O device.

In one embodiment of the invention the net access controller 135 is provided with a logging function 166, capable of detecting the signalling activity to and from the network connection 120 and storing a log of attempts from the computer to access the communication network and possibly also contacting attempts from the communication network to the computer. Any attempts from the computer 100 to access the communication network 120 when such attempts are not to be expected, i.e. in the case of no user activity in the first monitoring mode, may be stored in the log. Such attempts could be an indication of a virus of Trojan type residing in the computer and trying to make contact with the Internet. The log of contacting attempts may be presented to the user on a display on the net access controller. Alternatively the log is transmitted from the net access controller to the computer through the communication interface 172, possibly for further processing with suitable software in the computer 100. Likewise the net access controller may be used to log contacting attempts from the communication network 120 to the computer 100. The communication between the net access controller and the computer should preferably be strictly one-directional, preventing any change in the settings of the net access controller, but allowing the logging and alarm information to be transferred to the computer.

Alternatively, if the computer is in active use but no net related user activity is taking place (first monitoring mode), the user can be alerted by the net access controller, via the communication interface 172 or via an audiovisual alarm signal, of a contacting attempt. The user may then either approve the attempt or disapprove it.

In the above described embodiments the switching off of the network has primarily been done by the net access controller 135 automatically, based on user activity and net related user activity. In addition the net access controller 135 can be used to quickly disconnect from the communication network 120, either by ordering the switching off from the computer 100 or from some means of remote control. Alternatively the net access controller can be provided with a button which, when manually pressed by the user, immediately switches the network connection off. The net access controller will now be in a secure mode, referred to as "private security mode" (PSM). The private security mode can be reset, i.e. access to the communication network allowed again, by pressing the button once more, from the computer 100 or via the means of remote control. One use of this feature would for example be in the above described scenario of the net access controller detecting and sending an alarm on signalling activity indicative of unwanted intrusion. Another use may be within an intranet, i.e. an office internal communication network. Within such a network the security is often low, as one of the main purposes of the intranet is to share information in a convenient way. Although the openness of intranets is in many cases a wanted feature, occasionally a member of the intranet handles information that is not intended for everyone. By the use of the private security mode of the net access controller the member may switch off the intranet access, for example while working on a document containing sensitive information. After storing the document in a way which is not accessible from the intranet, for example on a removable hard disk or a CD, the access to the intranet is switched on again, i.e. the private security mode is reset.

As an alternative or complement to an alarm signal calling for action from a user, the net access controller 135 may, on the detection of an unexpected attempt of access to the communication network 120, switch off the network access automatically. This will put the net access controller in a "quarantine mode" (QM), not allowing any network access before the quarantine mode has been reset by an action of the user, for example pressing a button on the net access controller.

The above embodiments of the net access controller 135 can be incorporated with only slight changes to the algorithm described with reference to the flowchart of FIG. 2. These changes will be described with reference to FIG. 3. The algorithm has been provided with two additional steps, 202 (placed between steps 200 and 205) and 222 (placed between steps 220 and 225).

-   202: In step 202 the algorithm checks if the private security mode (PSM) or the quarantine mode (QM) has been activated, by the user or automatically by the net access controller respectively. If either of the modes is active the net access controller will remain in the first monitoring mode, i.e. not open the access to the network, until the PSM or the QM is reset by the user.
-   222: In step 222 the algorithm again checks if the private security mode (PSM) or the quarantine mode (QM) has been activated, by the user or automatically by the net access controller respectively. If either of the modes is active the net access controller will immediately close the access to the network, i.e. go to the first monitoring mode, and not open the access to the network until the PSM or the QM is reset by the user.

The quarantine mode (QM), automatically activated by the net access controller, offers increased security and the possibility to track and take action against for example viruses of Trojan type. A method of using the QM will be described with reference to the flowcharts of FIGS. 2, 3 and 4. If in step 205 no user activity has been detected the algorithm checks whether the computer tries to initiate net activity according to the following steps:

-   400: In step 400 the net access controller checks for attempted net activity by monitoring the outgoing signals from the computer 100. If no attempted net activity is detected the algorithm goes back to its first monitoring mode 200. If the net access controller detects signalling attempts from the computer to the network the algorithm proceeds to step 405.
-   405: In step 405 the quarantine mode (QM) is activated. The quarantine mode (QM) can only be reset by an action by the user.
-   410: In an optional step 410, the attempt to access the communication network is stored in a log, which as described above may be presented to the user in a number of ways. After step 410 (or 405) the net access controller returns to its first monitoring mode 200.

It should be noted that during the above routines the access to the network has never been opened. The quarantine mode (QM) assures that the user has a possibility of taking appropriate actions, for example running a program that detects and removes viruses or spy software, before the access to the network is reopened.

Alternatively the QM could be activated by unexpected signalling from for example an I/O device such as a camera or a microphone. Such signalling can be an indication of someone trying to use the computer for spying. The I/O devices are in this embodiment divided into main devices such as mouse, screen and keyboard and secondary I/O devices such as a microphone or a camera. How the I/O devices are categorized is typically dependent on commonly used applications and set by the user. User activity is now defined only from the main I/O devices, i.e. step 205 comprises monitoring signalling activity to/from the main I/O devices. Step 400 will now also comprise monitoring signalling activity from the secondary I/O devices, and if net activity and/or signalling activity from secondary I/O devices is detected the QM is activated. This use of the QM can be given the general description that certain predefined combinations of signalling activity/lack of activity should result in activation of quarantine mode (QM).
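The steps of FIG. 2 (200-240), the PSM/QM checks of FIG. 3 (202, 222) and the quarantine branch of FIG. 4 (400-410, including the secondary I/O trigger just described) combine into one small state machine. The following Python model is an added example and not the patent's own code (the patent describes a hardware device); it assumes that the monitoring unit is sampled at regular intervals, that t_(w) is expressed in such intervals, and that the three kinds of activity arrive as already-classified booleans. The `Sample` fields, the action names used in `demo()` and the log strings are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    FIRST_MONITORING = "first"     # step 200: access to network 120 closed
    SECOND_MONITORING = "second"   # step 220: access open, watching net related user activity


@dataclass
class Sample:
    """What the I/O signal monitoring unit 160 saw in one sampling interval (constructed input)."""
    user_activity: bool               # physical signalling on the main I/O devices (step 205)
    net_user_activity: bool           # outgoing traffic accompanying user activity (steps 210/225/235)
    net_activity: bool                # outgoing traffic with nobody at the computer (step 400)
    secondary_activity: bool = False  # unexpected signalling from camera/microphone (secondary I/O)


@dataclass
class NetAccessController:
    t_w: int                                    # wait period of step 230, in sampling intervals
    mode: Mode = Mode.FIRST_MONITORING
    network_open: bool = False                  # state of switch 175 (True = access open)
    psm: bool = False                           # private security mode, set via button 180 or remote
    qm: bool = False                            # quarantine mode, set automatically in step 405
    idle_intervals: int = 0                     # consecutive intervals without net related user activity
    log: List[Tuple[int, str]] = field(default_factory=list)   # logging function 166

    def set_psm(self, active: bool) -> None:
        """Controlling means 180: the user engages or resets private security mode."""
        self.psm = active

    def reset_qm(self) -> None:
        """Quarantine mode can only be left by an action of the user."""
        self.qm = False

    def _close(self) -> None:
        """Steps 240/222: open switch 175 and return to the first monitoring mode."""
        self.network_open = False
        self.mode = Mode.FIRST_MONITORING
        self.idle_intervals = 0

    def sample(self, tick: int, s: Sample) -> bool:
        """Process one sampling interval; returns True while network access is open."""
        if self.mode is Mode.FIRST_MONITORING:
            if self.psm or self.qm:                          # step 202
                return False
            if not s.user_activity:                          # step 205: nobody at the computer
                if s.net_activity or s.secondary_activity:   # step 400 (incl. secondary I/O)
                    self.qm = True                           # step 405
                    reason = "net activity" if s.net_activity else "secondary I/O signalling"
                    self.log.append((tick, f"QM: unexpected {reason}"))   # step 410
                return False
            if s.net_user_activity:                          # step 210
                self.network_open = True                     # step 215
                self.mode = Mode.SECOND_MONITORING           # step 220
                self.idle_intervals = 0
            return self.network_open

        # second monitoring mode, steps 220-240
        if self.psm or self.qm:                              # step 222
            self._close()
            return False
        if s.net_user_activity:                              # steps 225/235: still in use
            self.idle_intervals = 0
            return True
        self.idle_intervals += 1                             # step 230: wait t_w before deciding
        if self.idle_intervals > self.t_w:                   # step 235 still silent -> step 240
            self._close()
        return self.network_open


def demo() -> Tuple[List[bool], List[Tuple[int, str]]]:
    """Constructed timeline with t_w = 2; returns the switch state per interval and the log."""
    nac = NetAccessController(t_w=2)
    timeline = [
        (None, Sample(False, False, False)),           # 0: idle computer, access stays closed
        (None, Sample(True, True, False)),             # 1: user starts a mail client: opens
        (None, Sample(True, True, False)),             # 2: transfer continues
        (None, Sample(True, False, False)),            # 3: short silence (1 interval)
        (None, Sample(True, False, False)),            # 4: silence for t_w intervals, still open
        (None, Sample(True, False, False)),            # 5: silence exceeds t_w: step 240 closes
        (None, Sample(False, False, True)),            # 6: nobody present, computer calls out: QM
        ("reset_qm", Sample(False, False, False, True)),  # 7: camera signals with nobody present: QM
        ("reset_qm", Sample(True, True, False)),       # 8: user resets QM, access opens again
        ("psm_on", Sample(True, True, False)),         # 9: user presses the PSM button: closes
        ("psm_off", Sample(True, True, False)),        # 10: PSM reset: opens
    ]
    states = []
    for tick, (action, s) in enumerate(timeline):
        if action == "reset_qm":
            nac.reset_qm()
        elif action == "psm_on":
            nac.set_psm(True)
        elif action == "psm_off":
            nac.set_psm(False)
        states.append(nac.sample(tick, s))
    return states, nac.log


if __name__ == "__main__":
    print(demo())
```

Two properties of the text are visible in the trace: access never opens without both user activity and net related user activity (intervals 0 and 6), and once QM or PSM is set, user activity alone cannot reopen the switch (intervals 7 and 9) until the user resets the mode.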

In a further embodiment of the invention the security is further increased by letting the net access controller not only monitor but also disconnect selected I/O devices. The net access controller 135 is further provided with switching means connected to some or all of the I/O connectors 161. After a predefined time period, t_(z), in the first monitoring mode without any user activity, the net access controller disconnects pre-selected I/O devices. Preferably all I/O devices are disconnected except secure login devices, for example fingerprint verification scanners, eye scanners, transponders, smartcard readers, keys etc. In this mode, the I/O security mode (I/O-mode), the net access controller is used not only for blocking unwanted access to/from the communication network, but also to increase the security if someone, on location, tries to gain access to the computer via the I/O devices. In the I/O-mode, the only way to get access to the computer is via the I/O device, preferably a secure login device, specified in the net access controller. After an authorized access the net access controller returns to the first monitoring mode and hence allows communication between the computer and the I/O devices. The user may have specified that in this step not all I/O devices are connected, only I/O devices considered to be essential. The net access controller may in addition be equipped with an alarm function issuing an audiovisual alarm and/or an alarm via the communication module 185. The alarm function is arranged to be activated if for example any I/O cables are removed from the net access controller, this being an indication of an intruder trying to bypass the I/O-mode. The alarm may additionally be used to protect from theft of the computer, parts of the computer or the net access controller.

A method of using the I/O-mode will be described with reference to the flowcharts of FIGS. 2, 3 and 5. If in step 205 no user activity has been detected, the algorithm comprises the following steps:

-   500: In step 500, wait a predefined time t_(z).
-   505: In step 505 the check for user activity is repeated. If user activity is occurring, go to step 200; if not:
-   510: In step 510 the I/O-mode is activated, i.e. the connections to pre-selected I/O devices are closed. Preferably all I/O devices except the secure login device are disconnected.
-   515: During the I/O-mode the net access controller monitors one or more connections to selected secure login devices. If no access attempt is detected, or an access attempt fails to authorize correctly, the algorithm remains in the I/O-mode. If an authorized access is detected, the algorithm proceeds to step 520.
-   520: In step 520 the I/O-mode is deactivated and the algorithm returns to the first monitoring mode (200).
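The mode logic described above, together with the first and second monitoring modes, the private security mode and the automatic quarantine mode of the preceding paragraphs and of the claims, can be expressed as one small state machine. The following is an added example in Python and is not code from the patent or from any product: the patent gives the behaviour only as flowchart steps (200, 205, 400, 500 to 520) and claim language, so the method names, the event representation, the values chosen for t_(z) and t_(w), the device names and the treatment of quarantine mode as a terminal state in the simulation are all assumptions.

```python
"""Simulation of the net access controller's mode logic.

Added example, not code from the patent or any product: the patent gives this
behaviour only as flowchart steps (200/205/400/500-520) and claims. Method
names, the values used for t_z and t_w and the device names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Mode(Enum):
    FIRST = auto()       # first monitoring mode: network interrupted, I/O connected
    SECOND = auto()      # second monitoring mode: network connected
    QUARANTINE = auto()  # QM: network interrupted, entered automatically and logged
    IO_MODE = auto()     # I/O-mode: network interrupted, only secure login device connected


@dataclass
class NetAccessController:
    t_z: float = 600.0   # assumed: seconds without user activity before I/O-mode
    t_w: float = 300.0   # assumed: seconds without net activity before leaving second mode
    main_io: frozenset = frozenset({"keyboard", "mouse", "screen"})
    secondary_io: frozenset = frozenset({"microphone", "camera"})
    secure_login: frozenset = frozenset({"smartcard"})
    mode: Mode = Mode.FIRST
    private_mode: bool = False                    # PSM, toggled by the user
    connected: set = field(default_factory=set)   # I/O devices currently switched through
    log: list = field(default_factory=list)       # (time, from, to, reason)
    last_user: float = 0.0
    last_net: float = 0.0
    user_seen: bool = False   # user activity detected since entering the first mode

    def __post_init__(self):
        self.connected = set(self.main_io | self.secondary_io | self.secure_login)

    def _enter(self, mode, t, why):
        self.log.append((t, self.mode.name, mode.name, why))
        self.mode = mode
        if mode is Mode.FIRST:              # step 200: full I/O, network interrupted
            self.user_seen, self.last_user = False, t
            self.connected = set(self.main_io | self.secondary_io | self.secure_login)
        elif mode is Mode.IO_MODE:          # step 510: only the secure login device stays
            self.connected = set(self.secure_login)

    def tick(self, t):
        """Evaluate the timers t_w and t_z at time t without an event."""
        if self.mode is Mode.SECOND and t - self.last_net >= self.t_w:
            self._enter(Mode.FIRST, t, "no net related user activity for t_w")
        elif self.mode is Mode.FIRST and t - self.last_user >= self.t_z:
            self._enter(Mode.IO_MODE, t, "no user activity for t_z")   # steps 500-510

    def io_signal(self, t, device):
        """Signal activity on an I/O connector (step 205; step 400 for secondary devices)."""
        self.tick(t)
        if device not in self.connected:
            self.log.append((t, self.mode.name, self.mode.name, f"{device} signal ignored, disconnected"))
        elif device in self.main_io:
            self.last_user, self.user_seen = t, True
        elif device in self.secondary_io and self.mode is Mode.FIRST and not self.user_seen:
            self._enter(Mode.QUARANTINE, t, f"unexpected {device} signalling without user activity")

    def net_signal(self, t):
        """Signal activity on the computer's network interface."""
        self.tick(t)
        if self.mode is Mode.SECOND:
            self.last_net = t
        elif self.mode is Mode.FIRST and self.user_seen and not self.private_mode:
            self.last_net = t
            self._enter(Mode.SECOND, t, "user activity followed by net related user activity")
        elif self.mode is Mode.FIRST and not self.user_seen:      # step 400
            self._enter(Mode.QUARANTINE, t, "net activity without user activity")
        else:
            self.log.append((t, self.mode.name, self.mode.name, "net activity blocked"))

    def login(self, t, authorized):
        """Access attempt on the secure login device while in I/O-mode (step 515)."""
        self.tick(t)
        if self.mode is Mode.IO_MODE and authorized:
            self._enter(Mode.FIRST, t, "authorized login")            # step 520
        elif self.mode is Mode.IO_MODE:
            self.log.append((t, "IO_MODE", "IO_MODE", "failed login attempt"))

    def set_private_mode(self, t, on):
        self.private_mode = on
        if on and self.mode is Mode.SECOND:
            self._enter(Mode.FIRST, t, "PSM activated")


def demo():
    """Constructed event sequence; returns (final mode, log)."""
    c = NetAccessController(t_z=600, t_w=300)
    c.io_signal(10, "keyboard")     # user activity on a main I/O device
    c.net_signal(12)                # -> SECOND, network connected
    c.net_signal(100)
    c.tick(500)                     # 400 s idle >= t_w -> FIRST
    c.tick(1200)                    # 700 s without user activity >= t_z -> IO_MODE
    c.io_signal(1201, "keyboard")   # keyboard is disconnected in I/O-mode: ignored
    c.login(1202, authorized=False)
    c.login(1203, authorized=True)  # -> FIRST, I/O reconnected
    c.net_signal(1204)              # net activity before any user activity -> QUARANTINE
    return c.mode, c.log
```

The point the simulation makes is the ordering rule: network access is only switched on when user activity on a main I/O device has been seen first and net activity follows, whereas net activity or secondary-device signalling with no preceding user activity is treated as a sign of an intruder or a Trojan horse and drives the controller into quarantine. A microphone or camera is left connected here when the user is present, so the user can still take a call; the QM triggers only when nobody is at the keyboard.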

The possibility provided by the invention to block the communication between selected I/O devices and the computer can be used to customize the computer and the I/O devices to different applications and situations. In this embodiment the user specifies to the net access controller certain I/O devices to be in active use; all other I/O devices are then disconnected by the net access controller. The function is activated either on the net access controller, remotely via the communication module 185, or from the computer. The user may for example choose to have the keyboard, screen and mouse connected but disconnect the microphone. This function can be used with all of the above described modes and reduces the risk that I/O devices such as microphones and cameras are used for spying.

The use of the net access controller 135 has here been illustrated in connection with a single computer. The net access controller could also advantageously be utilized in a client-server network. Some or all of the client computers can be provided with net access controllers according to the invention. The plurality of net access controllers are in communication with each other or with a central communication unit, and the system may for example be used to turn off the server, or the server's outside network connection, if no net related user activity is detected by the net access controllers. The system may also be used for rapidly disconnecting a number of computers from the Internet if a warning of a virus attack is received.

In a further embodiment of the invention the switch 175, which controls the access to the communication network in the net access controller 135, is provided with means for remote control. To keep the security at a high level the remote controlling means should not be accessible through the common data communication networks, such as the Internet or an intranet; the control channel is kept out of band. The remote control could for example be made through a telephony system such as GSM. The net access controller 135 is provided, as illustrated in FIG. 1 b, with a communication module 185, which has the functionality of a GSM phone. The module is provided with a subscriber number and the capability of decoding and processing data transmitted in an SMS (Short Message Service), MMS (Multimedia Messaging Service) or OTA (Over The Air) message, or by use of the GPRS standard. The uses of the communication module are manifold: a) the log of the logging function is transmitted by the communication module to the person responsible for the system, b) parameters setting up the net access controller are transmitted and entered into one or more net access controllers in a secure and convenient manner, c) in case of a virus warning a message is remotely sent to the communication module, which initiates switching off the network connection, d) a command switching off the network access of all computers can be rapidly transmitted with a group SMS or a broadcast message, e) allowing secure access to a company's internal network for an authorized outside user, for example an employee wanting to work from home and access the company's network.

In the latter case the access to the communication network is normally switched off. If an authorized user wants to access the server or computer through the communication network, the user first switches the network connection on through the communication module 185. This procedure may involve the following steps:

-   a. Calling the communication module 185 (GSM module) by a normal calling procedure and, with the use of DTMF, giving a PIN code and a code corresponding to changing the switch to "on". Alternatively an SMS including a PIN code and a code representing "on" can be transmitted to the GSM module, or any other presently available or future means for packet data transmission can be used.
-   b. The code representing the "on" position of the network switch is interpreted by the net access controller 135 and the switch is changed to allow connection to the network.
-   c. The authorized user can now access the server/computer, preferably with typical security measures including specifying user name and password.
-   d. After the session is over the authorized user can, similarly to step a), order the net access controller through the GSM module to switch the network connection off. Alternatively, or as a further security measure, the net access controller 135 can switch the network connection off after a predefined period of time with no signal activity in the network connection.
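The command handling behind steps a) to d), and the group switch-off of items c) and d) in the preceding paragraph, as an added example in Python that is not code from the patent or any product. The patent says only that a PIN code and a code meaning "on" or "off" arrive by DTMF or SMS and that the switch may fall back to "off" after an idle period; the SMS text format, the DTMF digit format, the allow-list of calling numbers, the salted PIN hash compared in constant time, the sequence number that stops a captured SMS from being replayed, the lockout after repeated wrong PINs and every constant are assumptions added here.

```python
"""Remote on/off control of the network switch over the GSM communication module.

Added example, not code from the patent or any product. Assumed here: the SMS
text 'PIN=<pin> SEQ=<n> CMD=ON|OFF', the DTMF string '<pin>*<1|0>#', a sender
allow-list, a salted PIN hash, a per-controller sequence number against
replayed SMS, and a lockout after max_failures wrong PINs.
"""
import hashlib
import hmac
import secrets


class RemoteSwitch:
    def __init__(self, pin, allowed_senders, idle_timeout=900, max_failures=3):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self.allowed = set(allowed_senders)   # subscriber numbers permitted to control the switch
        self.idle_timeout = idle_timeout      # step d): auto-off after this many idle seconds
        self.max_failures = max_failures
        self.failures = 0
        self.last_seq = 0                     # highest SEQ accepted so far (SMS path only)
        self.network_on = False
        self.last_net_activity = 0
        self.log = []

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def _reject(self, sender, now, why):
        self.log.append((now, sender, "rejected", why))
        return False

    def _apply(self, sender, pin, cmd, seq, now):
        """Common checks for both channels; returns True if the switch was changed."""
        if self.failures >= self.max_failures:
            return self._reject(sender, now, "locked out after repeated bad PINs")
        if sender not in self.allowed:
            return self._reject(sender, now, "sender not on allow-list")
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failures += 1
            return self._reject(sender, now, "bad PIN")
        if seq is not None and seq <= self.last_seq:
            return self._reject(sender, now, "replayed or out-of-order SEQ")
        if cmd not in ("ON", "OFF"):
            return self._reject(sender, now, "unknown command")
        if seq is not None:
            self.last_seq = seq
        self.failures = 0
        self.network_on = cmd == "ON"
        self.last_net_activity = now
        self.log.append((now, sender, cmd, "applied"))
        return True

    def handle_sms(self, sender, text, now):
        """Step a), SMS variant, e.g. 'PIN=4711 SEQ=12 CMD=ON'."""
        fields = dict(part.split("=", 1) for part in text.split() if "=" in part)
        try:
            seq = int(fields.get("SEQ", ""))
        except ValueError:
            return self._reject(sender, now, "missing or malformed SEQ")
        return self._apply(sender, fields.get("PIN", ""), fields.get("CMD", ""), seq, now)

    def handle_dtmf(self, caller, digits, now):
        """Step a), call variant: DTMF '<pin>*<code>#' with 1 = on, 0 = off.
        DTMF carries no sequence number, so this path rests on caller ID and PIN only."""
        if not digits.endswith("#") or "*" not in digits:
            return self._reject(caller, now, "malformed DTMF sequence")
        pin, _, code = digits[:-1].partition("*")
        return self._apply(caller, pin, {"1": "ON", "0": "OFF"}.get(code, ""), None, now)

    def net_activity(self, now):
        self.last_net_activity = now

    def tick(self, now):
        """Step d), automatic variant: switch off after idle_timeout with no net activity."""
        if self.network_on and now - self.last_net_activity >= self.idle_timeout:
            self.network_on = False
            self.log.append((now, None, "OFF", "idle timeout"))


def apply_to_fleet(controllers, sender, text, now):
    """Item d) above: one group SMS applied to several controllers; returns how many accepted it."""
    return sum(c.handle_sms(sender, text, now) for c in controllers)
```

Two design choices are worth noting. The PIN is never stored in clear on the module, and the comparison is constant time, so a stolen controller does not give up its PIN and response timing does not leak it. The sequence number matters because an SMS that switched the connection on can be captured and resent; without it, a PIN that was valid once stays usable forever.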

As appreciated by those skilled in the art, most existing and future telecommunication systems including TDMA

The use of the net access controller according to the invention will significantly increase the security. The invention may also advantageously be utilized in combination with known security methods and products such as antivirus software, firewalls and encryption. The usefulness of the invention can be illustrated with the combined use of encryption. Today's advanced encryption techniques provide an acceptably safe transfer of a message or document via the Internet. However, at some point the message or document has to be decrypted by the receiver. During the decryption, and while the document is in non-encrypted form, the user can activate the private security mode of the net access controller to make sure that no access to the communication network is possible. Hence, not only the transfer but also the viewing and processing of a message can be performed with high security.

A future use of the net access controller is in the area of IP telephony. The signal detection and alarm possibilities of the net access controller may advantageously be utilized to notify a user of an incoming IP telephony call and to open the connections necessary for receiving the call, including the access to the communication network and connections to appropriate I/O devices such as microphone, speakers and camera.

From the invention thus described, it will be obvious that the invention may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications as would be obvious to one skilled in the art are intended for inclusion within the scope of the following claims.

1. A method for automatically controlling access between a computer and a communication network, which method comprises the steps of: monitoring user activity by monitoring physical signal existence from at least one input/output device adapted for communication with the computer, and wherein a detection of physical signal existence from the input/output device is an indication of user activity; monitoring net related user activity by monitoring signal activity from the computer, and wherein a detection of physical signal existence from the computer is an indication of net related user activity; automatically allowing access from at least one of the computer to the communication network and access from the communication network to the computer, upon first detecting user activity and subsequently detecting net related user activity; a first monitoring mode prohibiting access between the computer and the communication network, the first monitoring mode comprising the steps of: monitoring user activity; monitoring, upon user activity having been detected, net related user activity; and changing, upon both user activity and net related user activity having been detected, from the first monitoring mode to a second monitoring mode; a second monitoring mode, allowing access between the computer and the communication network, the second monitoring mode comprising the steps of: monitoring net related user activity, and upon net related user activity being free of detection in a predefined period of time (t_(w)), changing to the first monitoring mode not allowing access between the computer and the communication network, wherein the method is performed by a processing unit within a communication network access controller that is adapted for connection between an interface and the communication network, through which interface the computer is connected to said communication network, the communication network access controller is further connected to one or more input/output devices, and which controller, being in the first monitoring mode, is adapted for interrupting the communication between the computer and the communication network by interrupting the physical connection of the computer to the communication network.
2. The method according to claim 1, wherein the changing of modes is initiated manually.
3. The method according to claim 1, wherein the input/output devices include at least one of the devices: keyboard, screen, mouse, camera, microphone, joystick, scanner or secure login devices.
4. The method according to claim 1, wherein the input/output devices comprise at least one input/output device defined as main input/output device and at least one input/output device defined as secondary input/output device, and user activity is defined as signal activity from the at least one main input/output device.
5. The method according to claim 1, wherein the method further comprises a private security mode (PSM) which is activated and deactivated by the user, an activated PSM implying that access between the computer and the communication network is not allowable and a deactivated PSM implying that access between the computer and the communication network is allowable, the method comprising the further steps, to be taken in the first monitoring mode, of: determining whether the PSM is activated; and upon both user activity and net related user activity being detected and upon PSM being free of activation, allowing access between the computer and the communication network, and the method comprising the further steps, to be taken in the second monitoring mode, of: determining PSM activation; and upon PSM being activated, changing to the first monitoring mode not allowing access between the computer and the communication network.
6. The method according to claim 1, wherein the method further comprises a quarantine mode (QM) which is activated automatically, an activated QM implying that access between the computer and the communication network is not allowable, the method comprising the further steps, to be taken in the first monitoring mode, of: determining QM activation; and upon both user activity and net related user activity being detected and upon QM being free of activation, allowing access between the computer and the communication network, and the method comprising the further steps, to be taken in the second monitoring mode, of: determining QM activation; and upon QM being activated, changing to the first monitoring mode not allowing access between the computer and the communication network.
7. The method according to claim 1, wherein the method further comprises a quarantine mode (QM) which is activated automatically, an activated QM implying that access between the computer and the communication network is not allowable, and/or a private security mode (PSM) which is activated and deactivated by the user, an activated PSM implying that access between the computer and the communication network is not allowable and a deactivated PSM implying that access between the computer and the communication network is allowable, the method comprising the further steps, to be taken in the first monitoring mode, of: determining at least one of the PSM and the QM being activated; monitoring user activity, and upon no user activity being detected and upon PSM or QM being free of activation, monitoring net activity, and upon net activity being detected, performing the steps of: activating the QM; and logging the detected net activity.
8. The method of claim 1, wherein the detection of signal activity between the computer and the input/output device is unrelated to input to any particular program.
9. A communication network access controller for increasing security of a computer connected to a communication network, the net access controller comprising: means for detecting user activity arranged to be connected to at least one input/output device and arranged to monitor physical signal existence from the input/output device to the computer; means for detecting net related user activity arranged to be connected between the computer and the communication network and arranged to monitor physical signal existence between the computer and the communication network; means for controlling access between the computer and the communication network, which controlling access means is arranged to interact with the user activity detecting means and the net related user activity detecting means, the access controlling means adapted to provide a first monitoring mode of the communication network access controller prohibiting access between the computer and the communication network, and a second monitoring mode of the network access controller allowing access between the computer and the communication network, and the access controlling means arranged to, in the first monitoring mode, upon the user activity detecting means first detecting user activity and the net related user activity detecting means subsequently detecting net related user activity, automatically set the communication network access controller into the second monitoring mode, and in the second monitoring mode 220, upon the net related user activity detecting means not detecting any net related user activity in a predefined period of time (t_(w)), set the communication network access controller into the first monitoring mode; connecting means to connect the net access controller to a connection between an interface through which the computer is communicating with said communication network and the communication network; switch means controlled by said controlling access means to interrupt the communication between the computer and the communication network by interrupting the physical connection of the computer to the communication network.
10. The net access controller according to claim 9, wherein the network access controller further comprises means for activating the switch means a predetermined period of time after user activity was detected.
11. The net access controller according to claim 9, wherein the network access controller further comprises power reduction means connected to said control means and arranged to block the computer from the communication network.
12. The net access controller according to claim 11, wherein the network access controller further comprises means for activating the power reduction means a predetermined period of time after user activity was detected by the net access controller.
13. The net access controller according to claim 9, wherein the input/output devices comprise at least one of the devices: keyboard, screen, mouse, camera, microphone, joystick, scanner, or secure login devices.
14. The net access controller according to claim 9, wherein the net access controller further comprises means for generating and storing a log of attempts to access the communication network from the computer.
15. The net access controller according to claim 9, wherein the net access controller further comprises means for generating and storing a log of attempts to access the computer from the communication network.
16. The net access controller according to claim 9, wherein the net access controller further comprises a communication module for communication via a second communication network different from said communication network.
17. The net access controller according to claim 16, wherein the second communication network is a wireless telephony system.
18. A system comprising a computer, at least one input/output device adapted for communication with the computer via a net access controller, wherein said net access controller comprises: means for detecting user activity arranged to be connected to at least one input/output device and arranged to monitor a signal existence between the computer and the input/output device; means for detecting net related user activity arranged to be connected between the computer and the communication network and arranged to monitor signal existence between the computer and the communication network; means for controlling access between the computer and the communication network, which controlling access means is arranged to interact with the user activity detecting means and the net related user activity detecting means, the access controlling means adapted to provide a first monitoring mode of the communication network access controller prohibiting access between the computer and the communication network, and a second monitoring mode of the network access controller allowing access between the computer and the communication network, and the access controlling means arranged to, in the first monitoring mode, upon the user activity detecting means first detecting user activity and the net related user activity detecting means subsequently detecting net related user activity, automatically set the communication network access controller into the second monitoring mode, and in the second monitoring mode, upon the net related user activity detecting means not detecting any net related user activity in a predefined period of time (t_(w)), set the communication network access controller into the first monitoring mode; connecting means to connect the net access controller to a connection between an interface through which the computer is communicating with said communication network and the communication network; switch means controlled by said controlling access means to interrupt the communication between the computer and the communication network by interrupting the physical connection of the computer to the communication network.
19. The system according to claim 18, wherein the net access controller further comprises a communication module for communication via a second communication network different from said communication network.
20. The system according to claim 19, wherein the second communication network is a wireless telephony system.